Thanks. Appreciate the feedback.
From my readings of RHEL submissions to NIST for FIPS-140-2 reviews, most dated after Sept 2012;
it appears that /dev/urandom is being referenced in various security modules as the primary seed mechanism.
It will take some careful reading to determine if /dev/urandom may be used, as is, for vendors default installations on UNIX/Linux.
I would still wish to use the RNGD tool set to ensure the population of randomness is large;
as not to stop production functionality and ensure a high level of confidence that the business has not been exposed.
*** ***
NIST References: With select remarks pulled regarding FIPS and /dev/urandom
Red Hat Enterprise Linux 6.2 OpenSSH Server Cryptographic Module v2.1
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1792.pdf
Random Number Generation
A FIPS 140-2, ANSI X9.31 approved pseudo random number generation mechanism will be used in the module, called from OpenSSL, which is seeded by the kernel.
The kernel uses /dev/urandom as a source of random numbers for RNG seeds. The Linux kernel initializes this
pseudo device at system startup. SSH_USE_STRONG_RNG is a positive integer that must be greater or equal than 6 to be honored. That integer value specifies the number of bytes obtained from /dev/random and mixed into the DRNG state via the OpenSSL RNG RAND_add API call. Further state that this variable can be set in /etc/sysconfig/sshd as this file is sourced by the sshd start script.
Please refer to the Red Hat Enterprise Linux – OpenSSL Module v2.0 FIPS 140-2 Security Policy, Section 6.1,
“Random Number Generation.”
Self Tests
FIPS 140-2 requires that the module perform self tests to ensure the integrity of the module and the correctness
of the cryptographic functionality at startup. In addition, some functions require continuous verification of
function, such as the random number generator. All of these tests are listed and described in this section
Red Hat Enterprise Linux 6.2 Libgcrypt Cryptographic Module v2.1
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1757.pdf
6.1 Random Number Generation
A FIPS 140-2, ANSI X9.31-approved pseudo random number generation mechanism using AES 128 will be
used in the module.
The random number generator is keyed and seeded with data that is loaded from the /etc/gcrypt/rngseed if the
device or symlink to device exists xored with the data from the /dev/urandom device. This allows the system
administrator to always seed the RNGs from /dev/random if it is required
The integrity check is performed by the Red Hat Enterprise Linux OpenSSL module utility fipscheck. The version
is 1.2.0-1.el5, and fipscheck-lib version is 1.2.0-1.el5 HMAC/SHA-256.
When the module starts, it exercises the power-on self-test including the software integrity test. The software
integrity test (HMAC-SHA256) constitutes a known answer test for the HMAC-SHA256 algorithm.
The user space integrity verification is performed as follows:
The OpenSSH server application links with the library libfipscheck.so which is intended to execute
fipscheck to verify the integrity of the calling application file using HMAC SHA-256. Upon calling the
FIPSCHECK_verify() function provided with libfipscheck.so, the fipscheck application is loaded and
executed, and the following steps are performed.
OpenSSL as loaded by fipscheck performs the integrity check of the OpenSSL library files using
HMAC SHA-256.
SUSE Linux Enterprise Server 11 SP2 - OpenSSL Module v0.9.8j
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1930.pdf
Red Hat Enterprise Linux 5 OpenSSH Server Cryptographic Module v1.1
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1384.pdf
Red Hat Enterprise Linux 6.2 Openswan Cryptographic Module v2.0
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1859.pdf
Additional reading:
Very informative article from Solaris Security Engineer, Darren Moffat
Solaris Random Number Generation By darrenm on Sep 12, 2013
https://blogs.oracle.com/darren/entry/solaris_random_number_generation
Regards
Alan Baugher